Secure attribute for JavaScript cookies

When cookies are created on the client side in JavaScript by setting document.cookie, what effect does the "secure" attribute have on them?

In particular:

  • Are cookies created by the client sent to the server in the "Cookie:" header of subsequent requests?

  • Can they be changed by the client using the following Set-Cookie headers from the server?

  • In the case of the previous two questions, assuming yes, does the secure attribute prevent this if the connection to the server is not HTTPS?

  • If a page not loaded via HTTPS contains JavaScript that tries to create cookies with the secure attribute, are the cookies allowed?

  • Do major browsers do this all in sequence?

+3
1 answer
  • Yes, JavaScript cookies (set via document.cookie =) are sent to the server in the cookie request header.
  • Yes, cookies can be rewritten using the server-supplied Set-Cookie headers.
  • Yes, it should be.
  • It should not be.
  • As far as I know, yes, but this should be easy to verify.
+2
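
The answer notes that this should be easy to verify. One way to do so is a small Node.js probe, added here as an example and not part of the original answer. The cookie names, URL paths and `startProbe` are made up for this test, and it assumes CommonJS so that `require` is available.

```javascript
// Constructed probe page: sets one plain and one "secure" cookie from script,
// lets the server overwrite the plain one, then shows what the server received.
const PAGE = `<!doctype html><body><script>
document.cookie = "js_plain=client";
document.cookie = "js_secure=client; secure";
fetch("/overwrite").then(() => fetch("/echo")).then(r => r.text())
  .then(t => { document.body.textContent = t; });
</script></body>`;

// Parse a Cookie request header into a {name: value} object.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // skip empty or malformed pairs
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Map what the server saw onto the question's bullets.
function report(cookieHeader, overHttps) {
  const jar = parseCookieHeader(cookieHeader);
  return {
    scheme: overHttps ? "https" : "http",
    jsCookieSent: "js_plain" in jar,                  // bullet 1
    overwrittenBySetCookie: jar.js_plain === "server", // bullet 2
    secureCookieSent: "js_secure" in jar,             // bullets 3 and 4
  };
}

function handler(req, res) {
  const overHttps = Boolean(req.socket && req.socket.encrypted);
  if (req.url === "/overwrite") {
    res.setHeader("Set-Cookie", "js_plain=server"); // same name and path as the script cookie
    return res.end("ok");
  }
  if (req.url === "/echo") {
    res.setHeader("Content-Type", "application/json");
    return res.end(JSON.stringify(report(req.headers.cookie, overHttps)));
  }
  res.setHeader("Content-Type", "text/html");
  res.end(PAGE);
}

// Plain-HTTP run; not started automatically.
function startProbe(port) {
  return require("node:http").createServer(handler).listen(port, "127.0.0.1");
}
```

Call `startProbe(8080)` and open the page in each browser you care about; the JSON shown is what the server actually received over plain HTTP. For the HTTPS comparison, pass the same `handler` to `node:https` `createServer` with a test certificate of your own.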

Source: https://habr.com/ru/post/1716209/